public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Bret Barkelew" <bret.barkelew@microsoft.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"zhichao.gao@intel.com" <zhichao.gao@intel.com>,
	"afish@apple.com" <afish@apple.com>,
	Laszlo Ersek <lersek@redhat.com>
Cc: Jeff Brasen <jbrasen@nvidia.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Wu, Hao A" <hao.a.wu@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>,
	Liming Gao <gaoliming@byosoft.com.cn>,
	"Ni, Ray" <ray.ni@intel.com>
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH 1/1] MdeModulePkg/BmpSupportLib: Allow BMP with extra data
Date: Thu, 1 Apr 2021 17:37:19 +0000	[thread overview]
Message-ID: <MW4PR21MB1907C8525208513CBA507D99EF7B9@MW4PR21MB1907.namprd21.prod.outlook.com> (raw)
In-Reply-To: <MWHPR11MB16477863102ED893F637ADA2F67D9@MWHPR11MB1647.namprd11.prod.outlook.com>


[-- Attachment #1.1: Type: text/plain, Size: 5502 bytes --]

I agree with the proposal for a deeper security review.

I also would suggest that we can provide tooling with BaseTools to check and/or correct the format of a BMP to match what the code expects (since there seems to be ambiguity in the spec/implementation). We’ve got a validator in Mu and would be happy to put together some patches to at least get this started for the community to hammer on.

- Bret

From: Gao, Zhichao via groups.io<mailto:zhichao.gao=intel.com@groups.io>
Sent: Monday, March 29, 2021 6:35 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; afish@apple.com<mailto:afish@apple.com>; Laszlo Ersek<mailto:lersek@redhat.com>
Cc: Jeff Brasen<mailto:jbrasen@nvidia.com>; Bret Barkelew<mailto:Bret.Barkelew@microsoft.com>; Wang, Jian J<mailto:jian.j.wang@intel.com>; Wu, Hao A<mailto:hao.a.wu@intel.com>; Yao, Jiewen<mailto:jiewen.yao@intel.com>; Liming Gao<mailto:gaoliming@byosoft.com.cn>; Ni, Ray<mailto:ray.ni@intel.com>
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH 1/1] MdeModulePkg/BmpSupportLib: Allow BMP with extra data

The patch would let the BMP file that with a bunch of data pass the check, no matter the data is valid or not. Do we have other docs to descript which data is allowed and valid?

Correct the Cc mail address and invite more experts for security review.

Thanks,
Zhichao

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Andrew Fish via groups.io
Sent: Thursday, March 25, 2021 11:00 AM
To: edk2-devel-groups-io <devel@edk2.groups.io>; Laszlo Ersek <lersek@redhat.com>
Cc: Jeff Brasen <jbrasen@nvidia.com>; bret.barkelew@microsoft.com; Wang, Jian J <jian.j.wang@intel.com>; ao.a.wu@intel.com
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH 1/1] MdeModulePkg/BmpSupportLib: Allow BMP with extra data



On Mar 24, 2021, at 11:26 AM, Laszlo Ersek <lersek@redhat.com<mailto:lersek@redhat.com>> wrote:

On 03/24/21 16:25, Jeff Brasen wrote:
Some of the logo files we received for the group that makes our assets like this (not sure what tool they were created with) look like they pad the BMP size to 8 bytes.

TranslateBmpToGopBlt: invalid BmpImage...
  BmpHeader->Size: 0xE1038
  BmpHeader->ImageOffset: 0x36
  BmpImageSize: 0xE1038
  DataSize: 0xE1000
TranslateBmpToGopBlt: invalid BmpImage...
  BmpHeader->Size: 0x2A3038
  BmpHeader->ImageOffset: 0x36
  BmpImageSize: 0x2A3038
  DataSize: 0x2A3000
TranslateBmpToGopBlt: invalid BmpImage...
  BmpHeader->Size: 0x5EEC38
  BmpHeader->ImageOffset: 0x36
  BmpImageSize: 0x5EEC38
  DataSize: 0x5EEC00

So, each of these has 2 bytes of padding at the end of the file. We could write a tool that would do the same size recalculation in order to update the size in the header and remove the two bytes but it seems that this is a valid BMP file and it doesn't seem correct that UEFI is rejecting it. I can update the commit message with more context if needed as well.

If there's a spec describing the BMP format,

Yes and there are various flavors as at some point I had some graphics given to me in a format that did not work (I think it was BITMAPV4HEADER) :(.

https://en.wikipedia.org/wiki/BMP_file_format#cite_note-DIBhelp-5<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FBMP_file_format%23cite_note-DIBhelp-5&data=04%7C01%7CBret.Barkelew%40microsoft.com%7C962ec4d4113f436d738f08d8f31c267c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637526649524198979%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=M0IaRFkFKzmJKGZs9fYioFQHuV4hssMUXD7qLdB1lV0%3D&reserved=0>

edk2 supports ‘BM’ and the BITMAPINFOHEADER DIB. I seem to remember DIBs are defined by the size. So ‘BM' is a Microsoft Spec:
https://docs.microsoft.com/en-us/previous-versions/ms969901(v=msdn.10)?redirectedfrom=MSDN<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fms969901(v%3Dmsdn.10)%3Fredirectedfrom%3DMSDN&data=04%7C01%7CBret.Barkelew%40microsoft.com%7C962ec4d4113f436d738f08d8f31c267c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637526649524198979%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=mywuMJCCBcROvw3o89VeLWYI9VWjiMsqZabFg8jYM%2B0%3D&reserved=0>

The quote in that spec is:

The file extension of a Windows DIB file is BMP. The file consists of a BITMAPFILEHEADER structure followed by the DIB itself. Unfortunately, because the BITMAPFILEHEADER structure is never actually passed to the API, not every application that generates BMP files fills out the data structure carefully. To add to this confusion, the "proper" definition of the structure is at odds with the documentation. Properly, the data structure contains the following fields:

The explanation of size field is:
A DWORD that specifies the size of the file in bytes. The Microsoft Windows Software Development Kit (SDK) documentation claims otherwise. To be on the safe side, many applications calculate their own sizes for reading in a file.

I would say that is not exactly a ringing endorsement from a spec point of view on depending on that field. So it seems like that patch may be reasonable, but we should triple check it does not break any security related assumptions.

Thanks,

Andrew Fish

and edk2 is needlessly
strict, and the check can be relaxed without security risks, then I
think a patch would be fair.

Thanks
Laszlo







[-- Attachment #1.2: Type: text/html, Size: 11990 bytes --]

[-- Attachment #2: F0EC9BD5722B471983D77D317B3A9240.png --]
[-- Type: image/png, Size: 140 bytes --]

  reply	other threads:[~2021-04-01 17:37 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-23 17:29 [PATCH 1/1] MdeModulePkg/BmpSupportLib: Allow BMP with extra data Jeff Brasen
2021-03-23 17:41 ` [EXTERNAL] [edk2-devel] " Bret Barkelew
2021-03-24 11:31   ` Laszlo Ersek
2021-03-24 15:25     ` Jeff Brasen
2021-03-24 18:26       ` Laszlo Ersek
2021-03-25  3:00         ` Andrew Fish
2021-03-30  1:35           ` Gao, Zhichao
2021-04-01 17:37             ` Bret Barkelew [this message]
2021-04-16 17:12               ` Jeff Brasen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=MW4PR21MB1907C8525208513CBA507D99EF7B9@MW4PR21MB1907.namprd21.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox